METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

US 20160042179A1
Filed: 08/11/2014
Published: 02/11/2016
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting malware in real time in a live environment, the method comprising:

monitoring one or more operations of at least one program concurrently running in the live environment;

building at least one stateful model in accordance with the one or more operations;

analyzing the at least one stateful model to identify one or more behaviors; and

determining the presence of malware based on the identified one or more behaviors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.

Citations

41 Claims

1. A computer-implemented method of detecting malware in real time in a live environment, the method comprising:
- monitoring one or more operations of at least one program concurrently running in the live environment;
  
  building at least one stateful model in accordance with the one or more operations;
  
  analyzing the at least one stateful model to identify one or more behaviors; and
  
  determining the presence of malware based on the identified one or more behaviors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The computer-implemented method of claim 1, wherein the monitoring further comprises:
    - generating event data characterizing one or more events, each of said events being indicative of a corresponding monitored operation of the one or more operations.
  - 3. The computer-implemented method of claim 2, wherein the monitoring the one or more operations further includes:
    - selecting at least one operation of interest from the one or more operations, and monitoring the selected at least one operation of interest.
  - 4. The computer-implemented method of claim 3, wherein the at least one operation of interest includes one or more in-process operations and/or one or more kernel related operations.
  - 5. The computer-implemented method of claim 4, wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 6. The computer-implemented method of claim 4, wherein the in-process operations are monitored by intercepting one or more library calls representing said in-process operations.
  - 7. The computer-implemented method of claim 4, wherein the kernel related operations are monitored by intercepting one or more system calls representing said kernel related operations.
  - 8. The computer-implemented method of claim 4, wherein the kernel related operations are monitored by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
  - 9. The computer-implemented method of claim 2 further comprising, for each event of said one or more events, generating a respective event data characterizing said event, wherein said event data includes at least the following attributes of said event:
    - operation type, and source of the event.
  - 10. The computer-implemented method of claim 1, wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
  - 11. The computer-implemented method of claim 10, wherein each of said objects represents an entity involved in the operations and is of a type selected from a group that includes:
    - process object, file object, network object, registry object, and windows object.
  - 12. The computer-implemented method of claim 1, wherein each of said at least one stateful model is a program-level stateful model that represents a sequence of linked operations related to a given program of said at least one program.
  - 13. The computer-implemented method of claim 1, wherein said at least one stateful model is a system-level stateful model that represents operations related to all programs that run concurrently in the live environment.
  - 14. The computer-implemented method of claim 13, wherein said system-level stateful model includes one or more program-level stateful models each representing a sequence of linked operations related to a given program of said all programs.
  - 15. The computer-implemented method of claim 1 further comprising:
    - monitoring one or more kernel related operations of said at least one program;
      
      building at least one stateful model based on said monitored kernel related operations;
      
      analyzing the at least one stateful model to identify one or more behaviors; and
      
      determining the presence of malware based on a behavioral score of said stateful model.
  - 16. The computer-implemented method of claim 15 wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
  - 17. The computer-implemented method of claim 15 wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 18. The computer-implemented method of claim 15 further comprising monitoring the one or more kernel related operations by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
  - 19. The computer-implemented method of claim 9, wherein the building the at least one stateful model comprises:
    - for each said event data associated with said event;
      
      normalizing the event data giving rise to an abstract event;
      
      retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes;
      
      process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event;
      
      identifying one or more relationships among the objects in accordance with said abstract event, and generating respective associations among the objects corresponding to the identified relationships, giving rise to an event context comprising the one or more objects and the associations therein;
      
      in case of said event being a first event of a stateful model, generating said stateful model including said event context;
      
      otherwise updating a previous stateful model based on the event context, giving rise to an updated stateful model, said previous stateful model corresponding to at least one previous event that precedes the event.
  - 20. The computer-implemented method of claim 19, wherein said updating further includes:
    - in case said previous stateful model includes said one or more objects, adding the associations of said event context to said previous stateful model, giving rise to said updated stateful model;
      
      otherwise in case of at least one object of said objects being a new object that is not included in said previous stateful model, adding said new object and the associations of said event context to the previous stateful model, giving rise to said updated stateful model.
  - 21. The computer-implemented method of claim 19 further comprising selecting selected event data associated with events of interest from said event data based on one or more predefined filtering rules and applying said normalizing of the event data with respect to said selected event data.
  - 22. The computer-implemented method of claim 21, wherein the one or more predefined filtering rules include filtering out event data associated with the following events:
    - uncompleted events, memory related events in which a targeting process is not a remote process, and events in which a targeting process does not exist.
  - 23. The computer-implemented method of claim 19, wherein normalizing the event data includes:
    - formatting the event data; and
      
      parsing the formatted event data giving rise to the abstract event.
  - 24. The computer-implemented method of claim 19, wherein the analyzing the at least one stateful model includes:
    - analyzing the event context in view of the stateful model or the updated stateful model in accordance with one or more predefined behavioral logics, anddetermining the presence of at least one behavior of said one or more behaviors upon any of said predefined behavioral logics being met, said at least one behavior related to a sequence of events of the stateful model including at least said event.
  - 25. The computer-implemented method of claim 24, wherein the predefined behavioral logics include determining a behavior of self-execution when the following condition is met:
    - a target of an event is an object that is included in the stateful model.
  - 26. The computer-implemented method of claim 24 wherein each of the at least one behavior is assigned with a respective behavioral score.
  - 27. The computer-implemented method of claim 26, wherein the determining the presence of malware further includes:
    - in case of said at least one behavior being determined;
      
      searching if there is a previous stateful model score associated with the previous stateful model, the previous stateful model score being an aggregated behavioral score of all previous behavioral scores assigned for respective previous determined behaviors, said previous determined behaviors being related to the at least one previous event of the previous stateful model,if not, determining a sum of said respective behavioral score assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
      
      otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score;
      
      comparing the stateful model score with a predefined threshold; and
      
      determining the presence of malware if the stateful model score passes the predefined threshold.
  - 28. The computer-implemented method of claim 27, wherein the respective behavioral score is assigned with a corresponding weight factor if a condition is met, and said increasing comprises applying the corresponding weight factor to the respective behavioral score giving rise to a respective weighted behavioral score, and increasing the previous stateful model score with a sum of the respective weighted behavioral score assigned for each of the at least one behavior.
  - 29. The computer-implemented method of claim 28, wherein the condition includes that a source of an event is a remote process and a target of the event is a system process.
  - 30. The computer-implemented method of claim 1, wherein the method further comprises:
    - eliminating determined malware by remediating the one or more operations indicated by the stateful model.

31. A system for detecting malware in real time in a live environment, the system comprising a processor configured to perform at least the following:
- monitor one or more operations of at least one program concurrently running in the live environment;
  
  build at least one stateful model in accordance with the one or more operations;
  
  analyze the at least one stateful model to identify one or more behaviors; and
  
  determine the presence of malware based on the identified one or more behaviors.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31, wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
  - 33. The system of claim 32, wherein each of said objects represents an entity involved in the operations and is of a type selected from a group that includes:
    - process object, file object, network object, registry object, and windows object.
  - 34. The system of claim 31, wherein each of said at least one stateful model is a program-level stateful model that represents a sequence of linked operations related to a given program of said at least one program.
  - 35. The system of claim 31, wherein said at least one stateful model is a system-level stateful model that represents operations related to all programs that run concurrently in the live environment.
  - 36. The system of claim 35, wherein said system-level stateful model includes one or more program-level stateful models each representing a sequence of linked operations related to a given program of said all programs.
  - 37. The system of claim 31, wherein the processor is further configured to perform the following:
    - monitor one or more kernel related operations of said at least one program;
      
      build at least one stateful model based on said monitored kernel related operations;
      
      analyze the at least one stateful model to identify one or more behaviors; and
      
      determine the presence of malware based on a behavioral score of said stateful model.
  - 38. The system of claim 37, wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
  - 39. The system of claim 37, wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 40. The system of claim 37, wherein the processor is further configured to monitor the one or more kernel related operations by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.

41. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting malware in real time in a live environment, the method comprising:
- monitoring one or more operations of at least one program concurrently running in the live environment;
  
  building at least one stateful model in accordance with the one or more operations;
  
  analyzing the at least one stateful model to identify one or more behaviors; and
  
  determining the presence of malware based on the identified one or more behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
WEINGARTEN, Tomer, COHEN, Almog, SHAMIR, Udi, MOTIL, Kirill

Granted Patent

US 9,710,648 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links